Overview
Draft a due diligence issues report (red flag report) for mergers and acquisitions, synthesizing findings from financial, legal, IP, HR, operational, environmental, tax, and data privacy workstreams into risk-ranked narratives with deal implications, financial exposure estimates, RWI insurability notes, and protective provisions.
Investment committees need more than a list of findings — they need risk contextualized to deal size, quantified in dollar ranges, and paired with specific protective provisions (indemnity caps, basket types, survival periods, escrow sizing). This skill produces a complete, decision-ready report that bridges the gap between workstream advisors and the deal team.
Getting Started
Add your source materials to the project workspace — data room indexes, workstream memos, management presentations, financial models, and any prior diligence reports — then activate the M&A Due Diligence Issues Report skill. The agent will guide you through deal context gathering, workstream finding collection, risk ranking, and report generation.
Example Conversation
Below is an example of how a typical M&A diligence report session unfolds. The agent gathers deal context, collects findings across workstreams, risk-ranks them relative to deal size, and drafts the report.
You: We’re acquiring a healthcare SaaS company called MedFlow. I need a diligence issues report for the investment committee meeting next week.
Agent: I’ll help you draft the due diligence issues report. Let me gather the deal context first:
- What is the deal structure — asset purchase, stock purchase, or merger?
- What is the approximate deal value?
- What is the buyer’s risk appetite — conservative, moderate, or aggressive?
- What is the strategic rationale for the acquisition?
- Is Representations and Warranties Insurance (RWI) being considered?
- What is the target closing date?
You: Stock purchase at $85M enterprise value. We’re a PE fund — moderate risk appetite. Strategic rationale is expanding our healthcare vertical. RWI is planned. Target close is Q3 2025.
Agent: Good — stock purchase means full successor liability, which increases the scope of legal and environmental diligence. Let me now collect findings by workstream. Let’s start with the ones you have ready. Which workstream memos are available?
You: Financial and legal are done. Here are the key findings: Financial — revenue concentration (top 3 customers = 62% of ARR), one customer is 28% alone. Quality of earnings shows $2.1M in non-recurring revenue included in normalized EBITDA. Legal — there’s a pending HIPAA enforcement action from HHS, and two of their key customer contracts have change-of-control termination clauses.
Agent: I’ve recorded those findings. Let me do the initial risk ranking:
- Customer concentration (28% single customer) — Rating: Critical. At $85M deal value, losing this customer ($~23.8M ARR impact based on 28% of implied $85M revenue) would destroy the investment thesis. This needs a special indemnity and an escrow.
- HIPAA enforcement action — Rating: High. Pending government investigation with unknown financial exposure. Estimate $2M–$8M range based on recent HHS settlements for similar SaaS companies. This is a known issue — RWI will not cover it. Seller must retain liability.
- Change-of-control termination clauses — Rating: High. Two contracts at risk. Need to identify the revenue value and pursue consent pre-close as a condition precedent.
- Non-recurring revenue ($2.1M) — Rating: Medium. Standard QoE adjustment. Purchase price adjustment recommended.
I still need findings from IP, HR, operational, environmental, tax, and data privacy workstreams. Which should we work on next?
You: IP found an open-source copyleft issue — they’re using AGPL-licensed components in their core product without proper compliance. HR flagged that the CTO and VP Engineering have no non-compete agreements and both have been approached by competitors.
Agent: Two more high-severity findings:
- AGPL copyleft exposure — Rating: High. AGPL requires source code disclosure for network-accessible software. If MedFlow’s core product links AGPL code, they may be obligated to release their source. Estimated remediation cost $500K–$1.5M (clean-room rewrite of affected modules). RWI may cover this as an IP rep breach if it was unknown to the seller.
- Key employee retention (CTO + VP Eng) — Rating: High. No non-competes, active competitor recruitment. Recommend retention agreements with 24-month vesting tied to earnout, plus a $2M key-person escrow.
I’ve run the completeness checker — 5 workstreams are still missing (operational, environmental, tax, data privacy, and the remaining portions of legal). The report has 6 findings so far with 1 critical and 4 high. Want to continue collecting findings, or should I note the remaining workstreams as “pending” and draft what we have?
Sample Output Excerpt
Below is a representative excerpt from a generated issues report, showing a Critical finding with full deal implications and protective provisions — the format the investment committee expects.
Finding F-01: Customer Revenue Concentration — Single Customer at 28% of ARR
Workstream: Financial | Severity: Critical | Financial Exposure: $20M–$24M
Description: MedFlow derives approximately 28% of its annual recurring revenue ($23.8M) from a single customer, Regional Health Partners (RHP). The top three customers collectively represent 62% of total ARR. The RHP master services agreement expires in 18 months and contains a 90-day termination for convenience clause. RHP has not provided a renewal commitment and is known to be evaluating competing platforms.
Deal Implication: Loss of the RHP contract would reduce ARR by $23.8M, representing approximately 28% of the $85M enterprise value. At the implied 6.5x revenue multiple, this translates to a potential valuation impact of $20M–$24M. This single-customer dependency represents a fundamental risk to the investment thesis and requires structural protection beyond standard reps and warranties.
RWI Insurability: RWI will not cover a post-close customer departure that was known and disclosed during diligence. This risk must be allocated to the seller through retained liability or structural protections.
Recommended Protective Provisions:
| Protection | Detail |
|---|---|
| Special Indemnity | Seller indemnity for $15M in the event RHP terminates within 24 months post-close. No cap, no basket — carved out of the general indemnity cap. Survival: 24 months. |
| Escrow | $8M held in escrow for 18 months to cover partial loss scenario (e.g., RHP downsizes scope rather than full termination). |
| Condition Precedent | Seller to obtain RHP written confirmation of intent to renew (or, at minimum, confirmation that RHP has no current plans to terminate) prior to closing. |
| Earnout Structure | Tie 20% of purchase price ($17M) to 24-month revenue retention targets, with accelerators if RHP renews at current or higher levels. |
| Key Customer Non-Solicit | Seller and seller’s principals agree to 36-month non-solicitation of top-10 customers by ARR. |
Valuation Impact Summary
| Finding | Severity | Exposure Range | Recommended Adjustment |
|---|---|---|---|
| F-01: Customer concentration (RHP 28%) | Critical | $20M–$24M | $17M earnout + $8M escrow |
| F-02: HIPAA enforcement action | High | $2M–$8M | $5M seller-retained indemnity |
| F-03: Change-of-control termination clauses | High | $4M–$6M | Consent as CP; $3M escrow |
| F-04: Non-recurring revenue in EBITDA | Medium | $2.1M | Purchase price reduction |
| F-05: AGPL copyleft exposure | High | $500K–$1.5M | IP rep + $1M escrow |
| F-06: Key employee retention risk | High | $3M–$5M | $2M key-person escrow |
| Aggregate | $31.6M–$46.6M | Net adjustments: ~$10M price reduction + $14M escrow + $17M earnout |
Built-in Validation
The skill includes a completeness checker that validates the diligence report against professional standards before the narrative is drafted. The agent runs it automatically after collecting findings and surfaces gaps so you can address them iteratively.
What the validator checks
| Check Category | What It Validates | Severity |
|---|---|---|
| Deal context | Deal structure (asset/stock/merger), deal value, risk appetite | ERROR if structure or value missing; WARNING for risk appetite |
| Workstream coverage | All 7 standard workstreams present (financial, legal, IP, HR, operational, environmental, tax) | WARNING per missing workstream |
| Finding titles | Every finding has a descriptive title for cross-referencing | ERROR if missing |
| Severity ratings | Every finding rated critical/high/medium/low | ERROR if missing or invalid |
| Financial exposure | High and critical findings have dollar-range estimates | ERROR if missing |
| Deal implications | High and critical findings describe impact on valuation/structure | ERROR if missing |
| Protective provisions | High and critical findings include specific reps, indemnities, escrows | ERROR if missing |
| Executive summary | Report includes an executive summary with overall recommendation | WARNING if missing |
| Cross-workstream risks | Risks spanning multiple workstreams are identified | WARNING if missing |
| Valuation impact | Aggregate exposure table with recommended adjustments | WARNING if missing |
Severity levels
- ERROR — A required element is missing. The report is professionally unusable without it — the investment committee cannot act on findings that lack quantification or protective provisions.
- WARNING — A recommended section is absent. May not prevent the report from being used but will draw questions from deal counsel or the IC.
Example validation output
========================================================================
M&A Due Diligence Report — Completeness Check
========================================================================
Workstreams: 4/7
Total findings: 6
--- Errors (must fix) ---
[ERROR] 1 high/critical finding(s) missing financial exposure estimate:
"HIPAA enforcement action" (legal). Provide at minimum a dollar range
(e.g. '$2M–$5M potential exposure').
[ERROR] 1 high/critical finding(s) missing protective provisions:
"Key employee retention risk" (hr). Specify rep/warranty, indemnity
cap, basket type, survival period, and any escrow/holdback.
--- Warnings (recommended) ---
[WARNING] Workstream "operational" not present. Add it or document why
it was excluded.
[WARNING] Workstream "environmental" not present. Add it or document
why it was excluded.
[WARNING] Workstream "tax" not present. Add it or document why it was
excluded.
[WARNING] Missing cross-workstream risk analysis section. Identify
risks that span multiple workstreams (e.g. a cybersecurity gap that
is both operational and legal).
========================================================================
The agent runs validation automatically after each workstream is added and surfaces findings inline, so you always know what gaps remain before the report goes to the investment committee.